From aadaad68888217c76e06adf633a4d8b97d39779e Mon Sep 17 00:00:00 2001 From: Krzysztof Gajewski Date: Mon, 15 Feb 2021 23:41:16 +0100 Subject: Add JWT support in HTTP/HTTPS based locations - integration Issue-ID: DCAEGEN2-2536 Signed-off-by: Krzysztof Gajewski Change-Id: I334c66c025e1f3ef59393c3a0fe69493d4a3b5fa --- .../http-https-server/Dockerfile-http-https | 8 +++-- .../http-https-server/README.md | 5 +++ .../apache2/conf/extra/httpd-ssl.conf | 34 +++++++++++++++++++++ .../http-https-server/apache2/conf/httpd.conf | 29 +++++++++++++++++- .../http-https-server/apache2/lib/libjwt.so.1.7.0 | Bin 0 -> 133400 bytes .../apache2/modules/mod_authnz_jwt.so | Bin 0 -> 146696 bytes .../http-https-server/docker-compose.yml | 6 +++- 7 files changed, 78 insertions(+), 4 deletions(-) create mode 100755 test/mocks/datafilecollector-testharness/http-https-server/apache2/lib/libjwt.so.1.7.0 create mode 100644 test/mocks/datafilecollector-testharness/http-https-server/apache2/modules/mod_authnz_jwt.so (limited to 'test/mocks/datafilecollector-testharness/http-https-server') diff --git a/test/mocks/datafilecollector-testharness/http-https-server/Dockerfile-http-https b/test/mocks/datafilecollector-testharness/http-https-server/Dockerfile-http-https index c1f85596c..5a5037f3e 100644 --- a/test/mocks/datafilecollector-testharness/http-https-server/Dockerfile-http-https +++ b/test/mocks/datafilecollector-testharness/http-https-server/Dockerfile-http-https 
@@ -1,15 +1,19 @@ -FROM httpd:alpine +FROM httpd:2.4 -RUN apk update +RUN apt-get update ENV APACHE_LOG_DIR /usr/local/apache2/logs COPY --chown=root:root apache2/conf /usr/local/apache2/conf COPY --chown=root:root apache2/conf/extra /usr/local/apache2/conf/extra +COPY --chown=root:root ./apache2/lib/libjwt.so.1.7.0 /usr/lib/x86_64-linux-gnu/libjwt.so.1 +COPY --chown=root:root ./apache2/modules/mod_authnz_jwt.so /usr/local/apache2/modules/mod_authnz_jwt.so RUN chmod 644 /usr/local/apache2/conf/.htpasswd RUN chmod 644 /usr/local/apache2/conf/httpd.conf RUN chmod 644 /usr/local/apache2/conf/extra/httpd-ssl.conf +RUN chmod 644 /usr/lib/x86_64-linux-gnu/libjwt.so.1 +RUN chmod 644 /usr/local/apache2/modules/mod_authnz_jwt.so RUN mkdir /usr/local/apache2/certs RUN chown root:root /usr/local/apache2/certs diff --git a/test/mocks/datafilecollector-testharness/http-https-server/README.md b/test/mocks/datafilecollector-testharness/http-https-server/README.md index 77e701175..7902c09d9 100644 --- a/test/mocks/datafilecollector-testharness/http-https-server/README.md +++ b/test/mocks/datafilecollector-testharness/http-https-server/README.md @@ -30,3 +30,8 @@ by using 'docker ps' and stop them if necessary. # Cleaning docker structure Deep cleaning: `docker system prune` + +# mod_authnz_jwt.so + +External library `mod_authnz_jwt.so` was added to the Apache server. This library wasn't changed in any way. +This library is supplied under the Apache License, Version 2.0 (the "License"). diff --git a/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/extra/httpd-ssl.conf b/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/extra/httpd-ssl.conf index f4caf357e..24cf51da3 100644 --- a/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/extra/httpd-ssl.conf +++ b/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/extra/httpd-ssl.conf 
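Review bot: The two new `COPY` lines bake prebuilt, unverified binaries (`libjwt.so.1.7.0`, `mod_authnz_jwt.so`) into the image with no recorded upstream URL, version or checksum anywhere in the patch, so nothing ties the bytes in the repo to a reviewable source. At minimum add a comment naming the upstream project and commit, and make the build fail on a swapped file with `RUN echo '<sha256>  /usr/local/apache2/modules/mod_authnz_jwt.so' | sha256sum -c -` (and the same for the library); building the module from source in a separate stage would be better still. The changed `RUN apt-get update` still sits in its own layer with no install and no `rm -rf /var/lib/apt/lists/*`, which only adds a stale package index to the image — drop it or fold it into the install step that needs it. The `/usr/lib/x86_64-linux-gnu/` destination also hardcodes amd64; if that is accepted for this test harness, say so in a comment so the image is not expected to build on other platforms.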
@@ -1,5 +1,6 @@ Listen 443 Listen 8080 +Listen 32100 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyProtocol all -SSLv3 @@ -63,3 +64,36 @@ SSLSessionCacheTimeout 300 SSLCertificateFile /usr/local/apache2/certs/keystore.pem SSLCertificateKeyFile /usr/local/apache2/certs/key.pem + + + ServerAdmin httpserver-onap.org + ServerName httpserver-onap.org + + DocumentRoot /usr/local/apache2/htdocs + AuthJWTSignatureAlgorithm HS256 + AuthJWTSignatureSharedSecret Q0hBTkdFTUU= + AuthJWTIss onap + + AllowOverride None + Options Indexes FollowSymLinks MultiViews + AuthType jwt + AuthName "Restricted Content" + Require valid-user + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine on + SSLProtocol -all +TLSv1.2 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + + SSLCACertificateFile /usr/local/apache2/certs/truststore.pem + SSLCertificateFile /usr/local/apache2/certs/keystore.pem + SSLCertificateKeyFile /usr/local/apache2/certs/key.pem + diff --git a/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/httpd.conf b/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/httpd.conf index ef3ce95f7..58892c461 100644 --- a/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/httpd.conf +++ b/test/mocks/datafilecollector-testharness/http-https-server/apache2/conf/httpd.conf @@ -50,6 +50,7 @@ ServerRoot "/usr/local/apache2" # #Listen 12.34.56.78:80 Listen 80 +Listen 32000 # # Dynamic Shared Object (DSO) Support 
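Review bot: `AuthJWTSignatureSharedSecret Q0hBTkdFTUU=` decodes to `CHANGEME`, a 7-byte placeholder committed to the repo; anyone who can read this file can mint HS256 tokens that satisfy `Require valid-user` on the new port-32100 vhost, and RFC 7518 expects an HS256 key of at least 256 bits. Even for a test harness the value should be injected rather than committed — e.g. `AuthJWTSignatureSharedSecret ${JWT_SHARED_SECRET}` with the variable set in the container environment from `openssl rand -base64 32` — or the vhost should move to RS256 with `AuthJWTSignaturePublicKeyFile` so the server only ever holds a verification key. The `<VirtualHost>`/`<Directory>` container lines are not rendered in this view, so the scope of the `RewriteRule` that copies the `Authorization` header into `HTTP_AUTHORIZATION` is inferred; the module appears to read the header itself, so if the rewrite is there for a downstream CGI/proxy consumer a one-line comment saying so would stop the next reader from removing it.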
@@ -63,6 +64,7 @@ Listen 80 # Example: # LoadModule foo_module modules/mod_foo.so # +LoadModule auth_jwt_module modules/mod_authnz_jwt.so LoadModule mpm_event_module modules/mod_mpm_event.so #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so #LoadModule mpm_worker_module modules/mod_mpm_worker.so @@ -196,7 +198,7 @@ LoadModule dir_module modules/mod_dir.so #LoadModule speling_module modules/mod_speling.so #LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so -#LoadModule rewrite_module modules/mod_rewrite.so +LoadModule rewrite_module modules/mod_rewrite.so # @@ -299,6 +301,31 @@ ServerAdmin you@example.com AuthUserFile /usr/local/apache2/conf/.htpasswd Require valid-user + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + + ServerAdmin httpserver-onap.org + DocumentRoot "/usr/local/apache2/htdocs" + + AuthJWTSignatureAlgorithm HS256 + AuthJWTSignatureSharedSecret Q0hBTkdFTUU= + AuthJWTIss onap + + AllowOverride None + Options Indexes FollowSymLinks MultiViews + AuthType jwt + AuthName "Restricted Content" + Require valid-user + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined # # DirectoryIndex: sets the file that Apache will serve if a directory diff --git a/test/mocks/datafilecollector-testharness/http-https-server/apache2/lib/libjwt.so.1.7.0 b/test/mocks/datafilecollector-testharness/http-https-server/apache2/lib/libjwt.so.1.7.0 new file mode 100755 index 000000000..b22c52786 Binary files /dev/null and b/test/mocks/datafilecollector-testharness/http-https-server/apache2/lib/libjwt.so.1.7.0 differ 
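Review bot: The new port-32000 vhost accepts JWTs over plain HTTP, so every `Authorization: Bearer` token crosses the wire in cleartext and is replayable by anyone on the path; if that is deliberate for the HTTP-location test case, state it at the top of the block: `# Test-only: cleartext JWT endpoint for the DFC HTTP+JWT case; tokens are replayable on this port.` The JWT directives (`AuthJWTSignatureAlgorithm`, `AuthJWTSignatureSharedSecret`, `AuthJWTIss`) are now duplicated verbatim between `httpd.conf` and `httpd-ssl.conf`, which is exactly how the two listeners drift apart; move them into one `conf/extra/httpd-jwt.conf` and `Include` it from both vhosts. `Options Indexes` on the protected directory also enables directory listing, which is rarely wanted even behind authentication — drop `Indexes` unless the harness depends on it. The enclosing `<VirtualHost>`/`<Directory>` tags are not visible in this rendering, so the scope of these directives is inferred.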
diff --git a/test/mocks/datafilecollector-testharness/http-https-server/apache2/modules/mod_authnz_jwt.so b/test/mocks/datafilecollector-testharness/http-https-server/apache2/modules/mod_authnz_jwt.so new file mode 100644 index 000000000..2e2e834e0 Binary files /dev/null and b/test/mocks/datafilecollector-testharness/http-https-server/apache2/modules/mod_authnz_jwt.so differ diff --git a/test/mocks/datafilecollector-testharness/http-https-server/docker-compose.yml b/test/mocks/datafilecollector-testharness/http-https-server/docker-compose.yml index 09b698f89..4e6263ee7 100644 --- a/test/mocks/datafilecollector-testharness/http-https-server/docker-compose.yml +++ b/test/mocks/datafilecollector-testharness/http-https-server/docker-compose.yml @@ -4,17 +4,21 @@ services: http-https-server: container_name: http-https-server-httpd - image: httpd:alpine + image: httpd:2.4 environment: APACHE_LOG_DIR: /usr/local/apache2/logs ports: - "80:80" - "443:443" - "8080:8080" + - "32000:32000" + - "32100:32100" volumes: - ./apache2/conf/.htpasswd:/usr/local/apache2/conf/.htpasswd:ro - ./apache2/conf/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro - ./apache2/conf/extra/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf:ro + - ./apache2/lib/libjwt.so.1.7.0:/usr/lib/x86_64-linux-gnu/libjwt.so.1:ro + - ./apache2/modules/mod_authnz_jwt.so:/usr/local/apache2/modules/mod_authnz_jwt.so:ro - ./../certservice/generated-certs/apache-pem:/usr/local/apache2/certs:ro - ./files/onap/http:/usr/local/apache2/htdocs restart: on-failure -- cgit 1.2.3-korg
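Review bot: Bind-mounting `mod_authnz_jwt.so` and `libjwt.so.1` into a stock `httpd:2.4` image couples a prebuilt binary to whatever httpd/OpenSSL build the floating `2.4` tag resolves to at pull time, so an upstream image refresh can make the server fail to load the module with a symbol or ABI mismatch; pin the image to a patch tag or digest (`image: httpd:2.4@sha256:<digest>`) and note that coupling in a comment next to the two new `volumes` entries. As far as this hunk shows, compose runs the stock image rather than `Dockerfile-http-https`, so the module bytes now have two sources of truth (image layer vs. host bind mount) — worth a note on which one the tests actually exercise. The two new `ports` entries publish 32000 and 32100 on all host interfaces, and the mounted config carries a committed placeholder HMAC secret; bind them to loopback (`"127.0.0.1:32000:32000"`) unless another host genuinely has to reach them.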